QUESTION 30
Which of the following is NOT true of pre-shared key authentication within the IKE/IPsec protocol?
A. Pre-shared key authentication is normally based on simple passwords
B. Needs a Public Key Infrastructure (PKI) to work
C. IKE is used to set up Security Associations
D. IKE builds upon the Oakley protocol and the ISAKMP protocol.
Correct Answer: B
Explanation/Reference:
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication, which are either pre-shared or distributed using DNS (preferably with DNSSEC), and a Diffie-Hellman key exchange to set up a shared session secret from which cryptographic keys are derived.

Internet Key Exchange (IKE)
Internet Key Exchange allows communicating partners to prove their identity to each other and establish a secure communication channel, and is applied as an authentication component of IPsec. IKE uses two phases:

Phase 1: In this phase, the partners authenticate with each other, using one of the following:
Shared Secret: A key that is exchanged by humans via telephone, fax, encrypted e-mail, etc.
Public Key Encryption: Digital certificates are exchanged.
Revised mode of Public Key Encryption: To reduce the overhead of public key encryption, a nonce (a cryptographic term for a number or bit string used only once in security engineering) is encrypted with the communicating partner's public key, and the peer's identity is encrypted with symmetric encryption using the nonce as the key.
Next, IKE establishes a temporary security association and secure tunnel to protect the rest of the key exchange.

Phase 2: The peers' security associations are established, using the secure tunnel and temporary SA created at the end of phase 1.

The following reference(s) were used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 7032-7048). Auerbach Publications. Kindle Edition.
RFC 2409: http://tools.ietf.org/html/rfc2409
http://en.wikipedia.org/wiki/Internet_Key_Exchange
QUESTION 31
In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server?
A. Peer-to-peer authentication
B. Only server authentication (optional)
C. Server authentication (mandatory) and client authentication (optional)
D. Role based authentication scheme
Correct Answer: C
Explanation/Reference:
RESCORLA, Eric, SSL and TLS: Designing and Building Secure Systems, 2000, Addison Wesley Professional; SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.

QUESTION 32
What kind of encryption is used in the S/MIME standard?
A. Asymmetric encryption scheme
B. Password based encryption scheme
C. Public key based, hybrid encryption scheme
D. Elliptic curve based encryption
Correct Answer: C
Explanation/Reference:
S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and non-repudiation of electronic messages.

S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to e-mails.

S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs 2630 to 2633.
How S/MIME works
The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it possible to encrypt the content of messages but does not encrypt the communication.

The various sections of an electronic message, encoded according to the MIME standard, are each encrypted using a session key.

The session key is inserted in each section's header, and is encrypted using the recipient's public key. Only the recipient can open the message's body, using his private key, which guarantees the confidentiality and integrity of the received message. In addition, the message's signature is encrypted with the sender's private key. Anyone intercepting the communication can read the content of the message's signature, but this ensures the recipient of the sender's identity, since only the sender is capable of encrypting a message (with his private key) that can be decrypted with his public key.

QUESTION 33
Which of the following is true of network security?
A. A firewall is not a necessity in today's connected world.
B. A firewall is a necessity in today’s connected world.
C. A whitewall is a necessity in today’s connected world.
D. A black firewall is a necessity in today’s connected world.
Correct Answer: B
Explanation/Reference:
Commercial firewalls are a dime a dozen in today's world. "Black firewall" and "whitewall" are just distractors.
QUESTION 34
Which of the following best describes signature-based detection?
A. Compare source code, looking for events or sets of events that could cause damage to a system or network.
B. Compare system activity for the behaviour patterns of new attacks.
C. Compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack.
D. Compare network nodes looking for objects or sets of objects that match a predefined pattern of objects that may describe a known attack.
Correct Answer: C
Explanation/Reference:
Misuse detectors compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack. As the patterns corresponding to known attacks are called signatures, misuse detection is sometimes called “signature-based detection.”
The most common form of misuse detection used in commercial products specifies each pattern of events corresponding to an attack as a separate signature. However, there are more sophisticated approaches to doing misuse detection (called "state-based" analysis techniques) that can leverage a single signature to detect groups of attacks.
